Logical Profiles in ISE 1.2.1

I'm having trouble understanding the Logical Profiles. 
What I understand from the user guide: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html#58510
For those too lazy to read: 
You can use the logical profile in an authorization policy condition to help create an overall network access policy for a category of profiles. You can create a simple condition for authorization, which can be included in the authorization rule. The attribute-value pair that you can use in the authorization condition is the logical profile (attribute) and the name of the logical profile (value), which can be found in the EndPoints systems dictionary.
So I thought that meant that I can group different profiles (Apple iPhone, iPad, iPod) together into a logical group, e.g. "BYOD_Idevice", and use this logical profile in the authorization. 
But I can't choose this freshly created logical group in the authorization condition. As a matter of fact, I can't choose this logical group ANYWHERE. 
Leaning back and thinking about it, it somehow makes sense. In the authorization you don't pick profiles, you choose identity endpoints. So what's the point of the logical profiles? I was hoping to clean up my authorization rules with them. But what else would I use them for? 
Or is this a bug in ISE 1.2.1? Not sure if I should call TAC about this, or if I'm just not getting it :D
Thanks a lot for your help!  

Nice username! :)
So yes, you are correct: the logical profiles allow you to group different types of dynamically profiled devices and then reference that profile in your authorization rules. However, you won't see those logical profiles under the "Identity Group Details" section. You will need to leave that field blank. Instead, you need to look in the "second" condition box: expression > Endpoint > LogicalProfile
Hope this helps!
Thank you for rating helpful posts!

Similar Messages

  • Logical Profiles in ISE 1.2

    I created a logical profiles group that is assigned with the Apple-ipad, Apple-iPhone and Apple-iDevice policies. Now ISE will not update the feed policies for the three devices. This is the message that I received from ISE when it does its Feed Policies update. I use the logical profiles group matching for authentication and authorization. Is there any way for me to update these feed policies? Thanks for the help!!
    Feed Version 1 policies downloaded.
    Total number of feed polices to apply are 3.
    Feed policies total 3 skipped.
    Feed policies warning message : Apple-Device has been changed by admin.
    Apple-Device:Apple-iDevice has been changed by admin.
    Apple-Device:Apple-iPad has been changed by admin.

    Hello Toua,
    Please verify the switch configuration for those network segments where endpoints are not being appropriately profiled to ensure that:
    • The required information to profile the endpoint is being sent to Cisco ISE for it to profile.
    • Probes are configured on the network Policy Service node entities.
    • Packets are received at the Cisco ISE profiler module; verify this by running the tcpdump function at Operations > Troubleshoot > Diagnostic Tools > General Tools > Tcpdump.
    Note: If you are observing this issue with endpoints on a WAN collected by HTTP, NetFlow, and NMAP, ensure that the endpoint IP address has been updated with a RADIUS/DHCP probe before other attributes are updated using the above probes.
    For more information, please visit the following link:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/troubleshooting_guide/ise_tsg.html#wp192504

  • SWSE logical profile apply doesn't create virtual directories

    Hello,
    I have installed Siebel 8.2 server on my Windows 7 machine.
    I have completed install and configuration for Gateway Name Server, Siebel Enterprise Server, Siebel Server and SWSE.
    All servers and Oracle database services are running.
    After applying the SWSE logical profile, virtual directories are not getting created in IIS.
    Please find below the configuration used while applying the SWSE logical profile.
    AppServerHostName=windows7test
    ConfigMode=VERT
    ConfigTask=ConfigureSWSEPhysical
    current_section=
    current_step=Response
    DeployedLanguage=ENU
    DoubleQuote="
    eappscfgExists=C:\siebel\8.2.2.0.0\ses\gtwysrvr\admin\Webserver\eapps.cfg
    eappsprofile=C:\siebel\8.2.2.0.0\ses\gtwysrvr\admin\Webserver
    EnableVirtualHosts=false
    EnterpriseServer=
    EVTWelcome=Configuration Wizard Hint: Siebel Bookshelf provides searchable documentation. For EVT command-line help run evt -? or EVT -h.
    first_section=InitialSetup
    first_step=MainTask
    GatewayAddress=
    GatewayCreateDefaultRead=
    GatewayUseDefaultRead=
    HostName=windows7test
    LoadBalancerOption=SingleServer
    LoadBalancingServer=windows7test:2321
    MainTask=Create
    OperatingSystem=windows 7
    OSDirSeparator=\
    OSType=x86
    RequestComponent=SRMSynch
    RequestServer=
    SCBPort=2321
    SiebelBinDir=c:\siebel\8.2.2.0.0\sweapp\bin
    SiebelDbsrvrRoot=c:\siebel\8.2.2.0.0\sweapp\dbsrvr
    SiebelEncryption=
    SiebeLibDir=c:\siebel\8.2.2.0.0\sweapp\lib
    SiebelInstalledDir=c:/siebel/8.2.2.0.0/sweapp
    SiebelLanguage=ENU
    SiebelLogArch=
    SiebelLogDir=
    SiebelLogEvents=
    SiebelLogFile=
    SiebelMaxThreads=
    SiebelMsgDir=c:\siebel\8.2.2.0.0\sweapp\locale\enu
    SiebelPassword=
    SiebelProgName=
    SiebelRoot=c:\siebel\8.2.2.0.0\sweapp
    SiebelRootParm=-h c:\siebel\8.2.2.0.0\sweapp
    SiebelTableOwner=
    SiebelTempDir=c:\siebel\8.2.2.0.0\sweapp\temp
    SiebelUser=
    SiebelVersion=8.2.2 SIA [22314] ENU
    SWSERoot=c:\siebel\8.2.2.0.0\sweapp
    SWSEServer=c:\siebel\8.2.2.0.0\sweapp\Admin\Webserver
    TraceLevel=1
    UnicodeEnable=
    WindowsSystemRoot=C:\Windows\system32
    I am logged in as the Admin user of my Windows 7 machine.
    I have provided read/write permission on the entire C:\siebel directory for the Windows Admin user as well as IIS_USRS.
    IIS version is 7.5.7600.16385.
    Please help me dig down into what may be going wrong.
    Thanks,
    Harshal

    Hello,
    As I see, this version of IIS comes as default with Windows 7.
    I tried to look at how it can be downgraded to IIS 6 but no help.
    So can you please tell me how we can use Siebel web services in such a case?
    Is there any other web server component in Siebel that we can use instead of IIS, or any settings in IIS 7?
    Thanks,
    Harshal

  • During applying SWSE logical profile, I have the error.

    Recently, we installed IBM HTTPServer version 7.0, and I patched Siebel from 8.1.1.3 to 8.1.1.7.
    After that I created a new SWSE logical profile in the Enterprise Configuration SCM,
    and tried to apply the logical profile in the SWSE Configuration SCM,
    but got an "Execution failed".
    This is the error log in sw_cfg_util.log:
    2021 2012-06-15 20:28:18 0000-00-00 00:00:00 +0900 00000000 001 003f 0001 09 sw_cfg_util 22347972 2314 /siebel/sba81/siebsrvr/log/sw_cfg_util.log
    GenericLog     GenericError     1     000000024fdb00c4:0     2012-06-15 20:28:18     Error in transferring input values ,num of arrays incorrect 0, expected : 1
    GenericLog     GenericError     1     000000024fdb00c4:0     2012-06-15 20:28:18     TransferInputsToValues returned error:3611539 to SetControlValues
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: ConfigMode
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: MainTask
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: MainTaskCreate
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: SWSERoot
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: GatewayUseDefaultRead
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: GatewayCreateDefaultRead
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: InputSWSEServerName
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: TRACELEVELDEFAULT
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: DeployedLanguage
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: SiebelRootUnix
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: DoubleQuote
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: GatewayAddress
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: EnterpriseServer
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: RequestComponent
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: RequestServer
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: LoadBalancerOption
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: AppServerHostName
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: SCBPort
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: EnableVirtualHosts
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: LoadBalancingServer
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: eappscfgExists
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: eappscfgExists
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: WebServerInstance
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:20     Executing step: WriteWebServerInstance
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:22     Executing step: ApplyValuescfg
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:23     Executing step: ApplyValuescfgSIA
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:23     Executing step: RestartWebServer
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:23     Executing step: ShutdownApacheServer
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:25     Executing step: CopyFiles
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:27     (ossystem.cpp (96) err=255 sys=0) : (ossystem.cpp: 96) error code = 255, system error = 0, msg1 = (null), msg2 = (null), msg3 = (null), msg4 = (null)
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:27     Step CopyFiles: failed to run program %%SiebelRoot%%%%OSDirSeparator%%install_script%%OSDirSeparator%%install%%OSDirSeparator%%GetLibraries with cmdline %%SiebelRoot%% %%WebServerInstance%%
    GenericLog     GenericError     1     000000034fdb00c4:0     2012-06-15 20:28:27     Failed during Execution, err: 255
    Siebel : 8.1.1.7
    IBM HTTPServer : 7.0
    AIX : 6.1
    SWSE logical profile directory : /siebel/sba81/gtwysrvr/admin/Webserver
    Webserver instance directory : /siebel/IBM/HTTPServer7.0
    HTTPServer7.0 directory, sub directories, files : Owner is "siebel" (when installed, owner was "root"; afterwards we changed the owner to "siebel")
    sba81 directory, sub directories, files : Owner is "siebel"
    So both of them have the same owner.
    I think "Step CopyFiles" is the main problem.
    Or is the directory name wrong? HTTPServer7.0 => Can't I use a dot in a directory name?
    How do I solve the problem?
    Please help me......
    Thanks.
    Edited by: user990218 on 2012-06-15 7:23 PM

    Thanks for your answer.
    I tried your advice,
    but the sw_cfg_util.log message is the same as before.
    GenericLog     GenericError     1     000000034fde00c6:0     2012-06-18 09:56:26     Executing step: ApplyValuescfgSIA
    GenericLog     GenericError     1     000000034fde00c6:0     2012-06-18 09:56:26     Executing step: RestartWebServer
    GenericLog     GenericError     1     000000034fde00c6:0     2012-06-18 09:56:26     Executing step: ShutdownApacheServer
    GenericLog     GenericError     1     000000034fde00c6:0     2012-06-18 09:56:28     Executing step: CopyFiles
    GenericLog     GenericError     1     000000034fde00c6:0     2012-06-18 09:56:30     (ossystem.cpp (96) err=255 sys=0) : (ossystem.cpp: 96) error code = 255, system error = 0, msg1 = (null), msg2 = (null), msg3 = (null), msg4 = (null)
    GenericLog     GenericError     1     000000034fde00c6:0     2012-06-18 09:56:30     Step CopyFiles: failed to run program %%SiebelRoot%%%%OSDirSeparator%%install_script%%OSDirSeparator%%install%%OSDirSeparator%%GetLibraries with cmdline %%SiebelRoot%% %%WebServerInstance%%
    GenericLog     GenericError     1     000000034fde00c6:0     2012-06-18 09:56:30     Failed during Execution, err: 255

  • VPN device profiling issue ISE In Line with ASA

    Hi all,
    We have an inline posture ISE which is acting as a RADIUS server for authenticating VPN clients through our ASA.
    However, because VPN clients do not send their MAC like wireless and wired clients do, the ISE cannot profile based on MAC as it does by default.
    Has anyone come across this issue and found another way of profiling VPN devices?
    Thanks
    Mario

    Please review the below links which might be helpful :
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_ipep_deploy.html

  • Connection to the Guest Profile using ISE...!!!

    Hi,
    I'm involved in the rollout for ISE. While trying to connect to the Guest profile using the browser, it gets connected to the Guest profile, after authenticating the credentials. But after some time, the connection gets disconnected automatically and this happens on and on, even if the client is not roaming.
    And the second problem is that, when the client roams, it asks for the credentials again to get connected to the Guest profile. Is this the usual behaviour, or are there any problems?
    It would be really helpful if someone could help me with this.

    About the first problem, please check the "session timeout" timer in your SSID configuration. By default it's 30 minutes, so every 30 minutes you would have to re-authenticate. In my deployments I configure this parameter to 12 hours to avoid this kind of problem.
    About the roaming issue, I think currently this is the normal behavior. I think with ISE 1.2 guest authentication will be improved. I will check on that.
    Please rate if this helps

  • ISE 1.2 Profiling - User Agent attribute incorrect

    Hi all,
    Just troubleshooting some profiling issues and have found that multiple devices are profiling incorrectly, e.g. Mac OS X profiling as Apple-Device. Basically the issue is that the user-agent string profiled by ISE is incorrect, meaning that only the OUI is matched. During the BYOD onboarding process, non-browser applications and services (games, OCSP daemons etc.) are presenting their specific user-agent strings, e.g. "OCSPD\1.0.2", to ISE, resulting in incorrect profiling.
    Does anybody have any suggestions on how to resolve this issue, as it is resulting in about 50% of devices being profiled at the "top level", i.e. Apple-Device or Windows Workstation (anything based on User-Agent)? Can anyone explain whether the profiler works on the basis of the first agent received or the last agent received, and why it doesn't hold onto a list of presented agents to make a decision? In my mind this is a pretty big issue in that some of the more popular device profiling policies are based on a user-agent string, thus potentially preventing you from defining tight AuthZ policies, e.g. iPad only etc.

    "Unless you have suppression configured, ISE will continue to collect profiling data and will re-profile a device as long as a rule with higher certainty factor is hit. However, if the certainty factor is the same the device will remain at its originally profiled group."
    The suppression feature will not affect the re-profiling of a device. The suppression only affects the logging on the MnT node. Since profiling is a PSN function, the suppression has no effect on the outcome of a profiling event. 
    You are correct in that a rule with a higher certainty factor "wins" and this is the profile that is chosen. Again, an understanding of how profiles work is not the issue here.  
    For example, say only the RADIUS and HTTP probes are being utilized for an endpoint. There are two endpoints: one is an iPad and the other an iPhone. The endpoint attributes that are known about the device are the MAC OUI and the user agent. 
    Based on the default profiling rules there are two things that need to be identified for either an iPhone or an iPad. The first common item is that the MAC OUI is identified as Apple. This increases the certainty factor by 10. The second is either the HTTP User-Agent containing iPad/iPhone or the DHCP hostname containing iPad/iPhone. Either of those conditions would increase the certainty factor by 20, for a total of 30. Since DHCP is not being used in this example we can remove that as a possibility and say that for an iPhone to be profiled as an iPhone it must both have a MAC OUI of Apple and the user agent must contain iPhone. Same goes for the iPad, but with iPad in the user agent. 
    Like smcbridebpc stated, every application that uses HTTP will have a user-agent string. The profiler rules assume that the user agent being used contains either the word iPhone or iPad to distinguish these types of devices. If an application on the device sends a user-agent string such as "OCSPD\1.0.2", which is obviously the OCSP daemon, this user-agent string is "stuck" on the endpoint and no other usable user agents can be used to profile the device. Therefore a race condition exists, and which application wins determines whether the profiler will be accurate or not.   
    The only two solutions that I can think of would be to have a user-agent filter that would allow you to manually filter out user agents like "OCSPD\1.0.2" (or the ISE developers could filter known unusable user agents out on the backend), OR every time a new user agent is presented to the profiler for a device, the user agent is joined to a list of user agents. 
    If the user agent were overwritten every time a new user agent was presented, then it would cause the device to be reclassified every time the different applications presented user agents, which would not be good.  
    It does look like a bug may have been filed and marked as fixed in a pending release, but the bug notes do not list enough information to identify whether this is the same issue that we are seeing.
    https://tools.cisco.com/bugsearch/bug/CSCuj45373
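    The certainty-factor race described in the reply above, as an added simulation (constructed model, not Cisco's profiler code): the policy tree uses the reply's numbers (OUI +10, User-Agent +20, total 30), and three assumed attribute-retention strategies are compared: "stuck" (the first User-Agent received is kept, as the reply describes), "filter" (a deny-list drops known-unusable agents such as OCSPD), and "list" (every agent seen is accumulated, the second fix proposed). Only the "stuck" strategy makes the final profile depend on which application talks first.

```python
# Constructed model of ISE-style certainty-factor (CF) profiling; not Cisco code.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    attr: str       # endpoint attribute the rule inspects ("OUI" or "User-Agent")
    contains: str   # substring that must appear in the attribute value (case-insensitive)
    cf: int         # certainty factor added when the rule matches

@dataclass
class Policy:
    name: str
    min_cf: int             # minimum CF the endpoint must reach to match this policy
    rules: List[Rule]
    parent: Optional[str] = None

# Policy tree mirroring the numbers in the reply: OUI +10, User-Agent +20, total 30.
POLICIES: Dict[str, Policy] = {
    "Apple-Device": Policy("Apple-Device", 10, [Rule("OUI", "Apple", 10)]),
    "Apple-iPhone": Policy("Apple-iPhone", 30, [Rule("User-Agent", "iPhone", 20)], "Apple-Device"),
    "Apple-iPad":   Policy("Apple-iPad",   30, [Rule("User-Agent", "iPad", 20)],   "Apple-Device"),
}

# Assumed deny-list for the "filter" strategy: agents that never identify the device class.
UNUSABLE_USER_AGENTS = {"OCSPD\\1.0.2"}

def rule_matches(rule: Rule, attrs: Dict[str, List[str]]) -> bool:
    return any(rule.contains.lower() in v.lower() for v in attrs.get(rule.attr, []))

def score(name: str, attrs: Dict[str, List[str]]) -> int:
    # A child policy inherits the CF its parent earned, so Apple-iPhone needs the OUI rule too.
    p = POLICIES[name]
    own = sum(r.cf for r in p.rules if rule_matches(r, attrs))
    return own + (score(p.parent, attrs) if p.parent else 0)

def classify(attrs: Dict[str, List[str]]) -> Tuple[str, int]:
    # The policy with the highest CF that also reaches its own minimum wins.
    best, best_cf = "Unknown", 0
    for name, p in POLICIES.items():
        cf = score(name, attrs)
        if cf >= p.min_cf and cf > best_cf:
            best, best_cf = name, cf
    return best, best_cf

class Endpoint:
    """Attribute store for one endpoint; 'strategy' decides how repeated User-Agent values are kept."""
    def __init__(self, strategy: str):
        assert strategy in ("stuck", "filter", "list")
        self.strategy = strategy
        self.attrs: Dict[str, List[str]] = {}
        self.profile: Tuple[str, int] = ("Unknown", 0)

    def observe(self, attr: str, value: str) -> str:
        if attr == "User-Agent":
            if self.strategy == "filter" and value in UNUSABLE_USER_AGENTS:
                return self.profile[0]          # drop the unusable agent before it can stick
            if self.strategy == "list":
                self.attrs.setdefault(attr, [])
                if value not in self.attrs[attr]:
                    self.attrs[attr].append(value)   # accumulate every agent seen
            elif attr in self.attrs:
                return self.profile[0]          # stuck: the first agent received is retained
            else:
                self.attrs[attr] = [value]
        else:
            self.attrs[attr] = [value]
        candidate = classify(self.attrs)
        if candidate[1] > self.profile[1]:      # re-profile only when a higher CF is reached
            self.profile = candidate
        return self.profile[0]

def profile_after(events: List[Tuple[str, str]], strategy: str) -> str:
    ep = Endpoint(strategy)
    for attr, value in events:
        ep.observe(attr, value)
    return ep.profile[0]

# Constructed event sequences: the same iPhone, two orderings of the OCSP-daemon vs Safari race.
SAFARI_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51.1 Safari/9537.53"
OCSP_FIRST = [("OUI", "Apple, Inc."), ("User-Agent", "OCSPD\\1.0.2"), ("User-Agent", SAFARI_UA)]
SAFARI_FIRST = [("OUI", "Apple, Inc."), ("User-Agent", SAFARI_UA), ("User-Agent", "OCSPD\\1.0.2")]

if __name__ == "__main__":
    for strategy in ("stuck", "filter", "list"):
        print(f"{strategy:7s} ocsp-first={profile_after(OCSP_FIRST, strategy):13s} "
              f"safari-first={profile_after(SAFARI_FIRST, strategy)}")
```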

  • ISE Authorization profile

    I am trying to create an authorization profile in ISE. My VLAN for that profile is 50. When I try to add the Tag ID as 50 it is not allowing me to do so.
    The message I am getting is: "Tag ID should contain only numerical value and in the range 0-31. How can the vlan be 0". How to deal with this issue when my VLAN IDs are higher than 31?
    I was wondering if anyone else has had a similar issue? Or am I missing anything?
    Ds

  • ISE Profiling Deployment

    We are starting an ISE deployment to segregate mobile devices (iPhones and iPads, initially) from corporate notebooks. We have a single SSID and two separate VLANs, one for mobile devices and another for corporate notebooks, assigned by ISE. We successfully set up profiling in a lab environment with a few devices, but when we put it in production we had problems with devices not being profiled correctly. Since devices are not profiled, their access is denied. Since devices are denied, they cannot be profiled because ISE doesn't see any traffic (DHCP, HTTP) from the clients.
    What strategy are you using to deploy ISE profiling? Must I put ISE to listen on our network for some time before segregating access?

    Hi
    I've had the same problem with first-time users being denied; that's due to ISE not being able to profile before it denies.
    I think they should come up with something that will profile devices and then continue the authentication process.
    Someone mentioned doing a re-auth for a couple of seconds (see attached pic of how the authorization rule looks). That could save you from people being denied the first time, but if your device is never profiled then it will just spin there all the time re-authenticating.
    What you could also do is set up an unrouted VLAN where all the unknown devices stay until profiled.
    I've talked to Cisco and they recommended the same thing, so I guess that's it for now.
    What we have done before deploying ISE, and it worked pretty well: I forwarded all DHCP traffic to ISE before deploying ISE at that particular site, so DHCP forwarding ran for a few days and I already had their devices in my database, and when I deployed it, it worked pretty neatly.
    By forwarding all DHCP requests I mean:
    We have Active Directory and DHCP servers centrally located, so in the router config I added a helper address pointing to the ISE IP address, and that's it.
    Now WLC 7.3 has DHCP PROFILING and HTTP PROFILING options.
    HTTP profiling sends the first https packets to ISE and captures the User-Agent string. That helps if you browse with Safari, but if you use any other application that uses HTTP traffic it will end up totally wrong.
    Example: you connect with your iPhone to WiFi and open up Viber; ISE will capture viber_blabla_smth as the user agent and will not profile accurately.
    Hope it helps

  • ISE CWA Time Profiles

    Hi
    Trying to get ISE CWA with a WLC2500 to work according to guest time profiles.
    - When I suspend guest users in ISE they can still connect, and it seems that there is no communication between WLC and ISE (I suspect that ISE should communicate with the WLC regarding this).
    - When creating a guest user with "OnlyFirstLogin"... the user is still connected after shutdown/restart.
    I'm aware of the WLC timeout settings, but not sure if they are in play with CWA.
    Anyone who knows about these time profiles in ISE with regard to the WLC?
    Thx
    Kasper

    Please review the below links which might be helpful:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/February2012/SBA_Ent_BN_BYOD-GuestWirelessAccessDeploymentGuide-February2012.pdf
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_guest_pol.pdf

  • WLC, FlexConnect, ISE: Dynamic VLAN not working

    Hi,
    Not sure if this is a WLC or ISE problem, but since I am unsure of the WLC config I will try here first.
    Equipment:
    WiSM2 7.2.111.3
    ISE 1.1.1.268
    AP 3502 in FlexConnect
    What I want to achieve:
    One SSID, multiple VLANs
    Devices get profiled in ISE and, based on the type of device, get assigned to a VLAN
    Problem:
    When the device connects the first time it ends up in the native VLAN and is not switched to the right VLAN, but when I reconnect it is added to the right VLAN.
    WLC config (I know you like images so here you go ):
    I must be missing something but I can't figure out what. I will be attaching a "debug aaa event enable" for when the client connects the first time.
    In ISE I have an Authorization Profile that just says VLAN ID/Tag 158 (the VLAN that the device should go to) and it is added to the Authorization rule of the profiled device. CoA is set to Reauth.
    When the client connects I get three events in ISE:
    1.
    Authentication failed :
    22056 Subject not found in the applicable identity store(s)
    2. Authentication Success. With the results:
    UserName=00:18:DE:A2:BC:3A
    User-Name=00-18-DE-A2-BC-3A
    State=ReauthSession:c20e8b2f0000027e50ed27f8
    Class=CACS:c20e8b2f0000027e50ed27f8:ISE01/144259326/671335
    Termination-Action=RADIUS-Request
    Tunnel-Type=(tag=1) VLAN
    Tunnel-Medium-Type=(tag=1) 802
    Tunnel-Private-Group-ID=(tag=1) 158
    cisco-av-pair=profile-name=AX-Intel-Device
    3.
    Dynamic Authorization failed :
    11213 No response received from Network Access Device
    Has anyone got this to work? Do I need to add FlexConnect groups? If so then why?
    Regards,
    Philip

    I think you're hitting CSCua58554
    The bugtoolkit description is horrible.... From what I recall when I ran into it, I believe that FlexConnect is having a problem with MAC-filtering-based AAA override on open WLANs (and/or CWA based). In general, AAA override works fine when it comes from something like an EAP authentication.
    We had to use a 7.3 ES to resolve it.....
    Looks like it is implemented in 7.4 though..... If you don't want to join the 7.4 bandwagon quite yet, you might ask TAC for an ES of 7.3; I don't think they have a 7.2 build.

  • ISE and WLC for posture remediation

    Please can anybody clarify a few things in relation to ISE and wireless posture.
    1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an ACL to redirect only some traffic to kickoff posture checking?
    2) Can/Should a dACL/wACL be specified as a remediation ACL?
    3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports)? Doesn't "direction any" work?
    4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)?
    5) Any other advice or pointers would be helpful too, as no docs I have found so far, be it TrustSec 2, Cisco Live or anything else, seem to help me understand WLC posture and remediation
    thanks
    Nick

    Nick,
    Answers are inline:
    1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an ACL to redirect only some traffic to kickoff posture checking? This is for both: if ports 8905... are included, then this is for initial redirection and remediation.
    2) Can/Should a dACL/wACL be specified as a remediation ACL? Wireless does not support dACLs; you will have to reference another ACL in the authorization policy. The new versions have the Airespace ACL field, where you reference the ACL defined locally on the WLC.
    3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports/doesn't "direction any" work?) Yes, you have to add two entries. For example, for all traffic redirection to ISE: source=any, destination=iseipaddr, source port=any, destination port=any, direction=any, action=permit
    source=iseipaddr, destination ip=any, source port=any, destination port=any, direction=any, action=permit. It's not the easiest, but I will attach a screenshot that will show you my example.
    4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)? ISE doesn't support dACLs here, so when you build your authorization profile in ISE you select the web authentication type (Posture Discovery); after that the ACL field will come up, where you "call" the posture ACL which is defined on your controller.
    5) Any other advice or pointers would be helpful too as no docs I have found so far, be it TrustSec2, CiscoLive or anything else, seem to help me understand WLC posture and remediation. Keep in mind that you have to have RADIUS NAC and AAA override enabled under the advanced settings for CoA to work.
    You have to turn on CoA under the global settings in ISE (Administration > Profiling > CoA Type > Reauth).
    Then you have to build your policies so that when a user connects to the network they are redirected to download the NAC agent (this is where the Posture Discovery and redirect ACL work in tandem).
    Once the client downloads the NAC agent and is compliant, the report is forwarded to ISE where a CoA event is triggered.
    Then the client will reauthenticate and will hit another policy that will give them access once their machine is compliant; you can set the ACLs for restricted access, use dynamic VLAN assignment, or just send the access-accept.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Cisco ISE Active Endpoint Usage Reset

    Hi,
    I have a Cisco ISE running version 1.1 and I was wondering if it may be possible to reset the license usage/active endpoints shown on the dashboard. This was noticed after a restore of ISE due to replacement of hardware, and I noticed that the license usage count/active endpoints does not seem to go down.
    The following methods have been tried, however without any success:
    1. Reboot ISE server/service
    2. Disable all network devices making use of ISE such that there are no clients/devices accessing it; e.g. switch/WLC/etc...
    3. Deleted all endpoint usage in Identities/Identity Groups
    4. Disable profiling on ISE
    As the ISE has been installed with a base license, not too sure if it may be either a bad restore (all services/applications are working though) / bad RADIUS accounting which does not time out on the ISE / etc...
    Any help is appreciated on how to reset the active endpoint/license usage.
    Thanks.                  

    Here is a method for removing the stale records. Please give this a try:
    http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1072950
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE Auth policy based on MAC OUI and SSID

    I was blocking certain consumer mobile devices from my production WLAN on ACS using this process -
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
    The MAC OUI is referenced in the CLI field of the NAR, and the SSID is in the DNIS field.
    Anyone know how to do this on ISE?  Two questions -
    1) I can match based on WLAN-ID, but not SSID.  My WLAN-IDs for the same SSID don't match between controllers.  Do I need to change this and make sure all WLAN-IDs map to the same SSID on each controller?  Or, is there a different attribute I can use that refers to the SSID?
    2) What attribute do you use in ISE Authorization conditions to match OUI?  And can I match a list of OUIs?

    1) I have never seen the actual SSID name anywhere in the RADIUS attributes coming from the controller. I always use airespace-wlan-id, and if you want to avoid creating multiple rules, make the IDs the same on all controllers.
    2) Well, the OUI is part of the MAC, so you could maybe use RegEx to filter out specific OUIs. Another way, if you have the advanced license, would be to use Profiling; then ISE would do all the hard work of classifying what device is attempting to connect, and you could use that in your authorization policy, e.g. "Profiled:Iphone".

  • Unable to open the auth web of the ISE when pushing CA to Android phones

    Hi GUYS,
    I have got a problem when pushing a CA to Android phones from Win 2008. I have already connected to my SSID and got the IP; then I open my browser and enter http://1.1.1.1, and the web is redirected to the Device Self-regist page like https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=nsp; however, this website cannot be visited. My ACL in the WLC is correctly configured and has access to my ISE, like permit ip any host 10.10.10.70 and permit ip host 10.10.10.70 any. My authorization profile in ISE is configured as "Web authentication / supplicant provision / ACL 'my ACL'". Everything so far is OK, but the Device Self-regist website cannot be visited.
    My ISE version is as below:
    ise/admin# show version
    Cisco Application Deployment Engine OS Release: 2.0
    ADE-OS Build Version: 2.0.4.018
    ADE-OS System Architecture: i386
    Copyright (c) 2005-2011 by Cisco Systems, Inc.
    All rights reserved.
    Hostname: ise
    Version information of installed applications
    Cisco Identity Services Engine
    Version      : 1.1.3.124
    Build Date   : Thu Feb  7 06:55:38 2013
    Install Date : Thu Mar 28 05:22:23 2013   
    ise/admin#
    Can anyone help me with this? Thanks a lot!!!

    Hi guys,
    I have resolved this.
    My ISE was upgraded from version 1.1.1 to 1.1.3 several days ago. The URL in 1.1.1 is like http://ise-111.demo.com/xxx while in 1.1.3 it is like http://ise.demo.com, so I forgot to change the DNS resolution in my DNS server; after that, everything is OK now.
    Sent from Cisco Technical Support Android App
